Posted to commits@jackrabbit.apache.org by re...@apache.org on 2020/02/05 10:07:17 UTC

svn commit: r1873615 - /jackrabbit/site/trunk/src/site/markdown/index.md

Author: reschke
Date: Wed Feb  5 10:07:17 2020
New Revision: 1873615

URL: http://svn.apache.org/viewvc?rev=1873615&view=rev
Log:
OAK-8870: update news

Modified:
    jackrabbit/site/trunk/src/site/markdown/index.md

Modified: jackrabbit/site/trunk/src/site/markdown/index.md
URL: http://svn.apache.org/viewvc/jackrabbit/site/trunk/src/site/markdown/index.md?rev=1873615&r1=1873614&r2=1873615&view=diff
==============================================================================
--- jackrabbit/site/trunk/src/site/markdown/index.md (original)
+++ jackrabbit/site/trunk/src/site/markdown/index.md Wed Feb  5 10:07:17 2020
@@ -35,6 +35,20 @@ more information.
 Apache Jackrabbit is a project of the [Apache Software Foundation](http://www.apache.org/)
 
 ## Apache Jackrabbit News
+#### February 5th, 2020: CVE-2020-1940: Apache Jackrabbit Oak sensitive information disclosure vulnerability (updated)
+We just fixed a recently reported vulnerability in Apache Jackrabbit Oak:
+The optional [initial password change and password expiration features](https://jackrabbit.apache.org/oak/docs/security/user/expiry.html) are prone to a
+sensitive information disclosure vulnerability. The code mandates the changed password to
+be passed as an additional attribute to the credentials object but does not remove it upon
+processing during the first phase of the authentication. In combination with additional,
+independent authentication mechanisms, this may lead to the new password being disclosed.
+Mitigation: 1.12.0 - 1.22.0 should be upgraded to [1.24.0](downloads.html#latest). 1.10.x should be upgraded to [1.10.8](downloads.html#oak1.10).
+1.8.x should be upgraded to [1.8.20](downloads.html#oak1.8).
+1.6.x should be upgraded to [1.6.20](downloads.html#oak1.6).
+For older maintained and affected branches (1.2.x and 1.4.x), patches
+are available and releases will follow. See [OAK-8870](https://issues.apache.org/jira/browse/OAK-8870)
+for more information.
+
 #### February 5th, 2020: Apache Jackrabbit Oak 1.6.20 released
 Jackrabbit Oak 1.6.20 is a patch release that contains fixes and
 improvements over the previous 1.6.x release. See the
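Review bot: The new entry is headed "(updated)" but nothing in the text says what was updated or when; since the same day also carries the 1.6.20 release announcement below it, a reader cannot tell which part of the advisory changed. Add a short "Update (date): ..." line, or drop "(updated)" from the heading. Two smaller points in the same hunk: the mitigation guidance for five branches is packed into two run-on lines ("Mitigation: 1.12.0 - 1.22.0 should be upgraded to [1.24.0](downloads.html#latest). 1.10.x should be upgraded to [1.10.8](downloads.html#oak1.10).") and would read better as one markdown bullet per branch, matching the list style used elsewhere on the site; and the entry links only to OAK-8870, so consider also linking the CVE-2020-1940 record itself, and stating for the 1.2.x and 1.4.x branches that the patch attached to OAK-8870 is the interim mitigation until the releases mentioned are out.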